Global Medical REIT Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Global Medical REIT Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:07:24 EST.

Filings

10-K filed on 2024-02-28

Global Medical REIT Inc. filed a 10-K at 2024-02-28 16:07:24 EST
Accession Number: 0001558370-24-002000


Item 1C. Cybersecurity.

Information about cybersecurity risks and our risk management processes is collected, analyzed and considered as part of our overall enterprise risk management. The Company recognizes the critical importance of maintaining the trust and confidence of our tenants and business partners. The Board plays an active role in overseeing management of our risks, and cybersecurity represents an important component of the Company's overall approach to risk management and oversight. We believe we have built a strong and collaborative risk management culture focused on awareness which supports appropriate understanding and management of our key risks. Each employee is accountable for identifying, monitoring and managing risk within their area of responsibility.

The Company maintains cybersecurity prevention and response plans and procedures (the "Cybersecurity Policies") that set forth the Company's plan to prevent, manage, report and resolve cybersecurity events. The Cybersecurity Policies set forth the Company's policies and procedures for cybersecurity event prevention, including the Company's (i) network and computer systems acceptable use policy, (ii) data backup procedures, (iii) business continuity plan, (iii) data retention policy, (iv) disaster recovery plan, (v) email use and security policy, (vi) network change management procedures, and (vii) password and authentication requirements policy.
The Cybersecurity Policies also (i) provide indicators that Company employees should be aware of to recognize a cybersecurity event, (ii) outline the roles and responsibilities for Company employees and other third parties with respect to the Company's cybersecurity incident response team ("CSIR Team"), (iii) set forth the steps to take in response to a cybersecurity incident, including reporting the incident, investigating the incident, preserving non-affected systems and data, informing, as appropriate, Senior Management (as defined below), insurance carriers, law enforcement and other parties that may be affected by the incident and (iv) maintaining business continuity.

The Company's President and Chief Executive Officer, Chief Financial Officer and Treasurer, Chief Operating Officer and General Counsel and Secretary ("Senior Management") are responsible for assessing and managing cybersecurity risks with the support of the entire CSIR Team, led by the Director of Operations/Risk Management. The Director of Operations/Risk Management is the primary lead for monitoring the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and ensuring that the Cybersecurity Policies are followed. Senior Management works collaboratively with the Director of Operations/Risk Management and the entire CSIR Team to implement a program designed to protect the Company's information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Cybersecurity Policies. The CSIR Team also includes a third-party, on-demand IT support team, a Primary IT Support Contact, who is the technical response lead, a Primary Communications Contact responsible for handling external communications during and after an incident, as well as other delineated primary contacts in areas including, but not limited to, HR, Legal, Accounting, Asset Management and Acquisitions.
Pursuant to the Cybersecurity Policies, information security incidents must be reported, without delay, to the IT support team or the Director of Operations/Risk Management, who will then advise Senior Management of the incident. Senior Management will then report such threats and incidents to the Audit Committee, when appropriate.

Risk Management and Strategy

The Company's cybersecurity program is focused on the following key areas:

Governance: As discussed in more detail under Item 1C. Cybersecurity Governance, the Board's oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the "Audit Committee"), which regularly interacts with the Company's management team.

Collaborative Approach: The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

Technical Safeguards: The Company deploys technical safeguards that are designed to protect information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.

Incident Response and Recovery Planning: The Company has established and maintains comprehensive incident response and recovery plans that fully address the response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis.
Third-Party Risk Management: The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company's systems, as well as the systems of third parties that could adversely impact the Company's business in the event of a cybersecurity incident affecting those third-party systems.

Education and Awareness: The Company provides regular, mandatory training for personnel regarding cybersecurity threats as a means to equip personnel with effective tools to address cybersecurity threats, and to communicate evolving information security policies, standards, processes and practices.

The Company engages in the periodic assessment and testing of its policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of the Company's cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on its cybersecurity measures, including information security maturity assessments and independent reviews of the Company's information security control environment and operating effectiveness. The results of such assessments and reviews are reported to the Audit Committee and the Board, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments and reviews.

Governance

The Board, in coordination with the Audit Committee, oversees the Company's cybersecurity risk management process.
The Audit Committee has adopted a charter that provides that the Audit Committee has duties and responsibilities with respect to the oversight of the Company's cybersecurity risk protocol (which includes oversight of risk assessment, risk management plan and process to control/monitor, business continuity plan, incident response, and disaster recovery).

There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information. To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to affect the Company, including its business strategy, results of operations or financial condition. We face certain ongoing risks from cybersecurity risks that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Risk Factors - We, our tenants, and our property managers face risks associated with security breaches through cyber-attacks, cyber-intrusions, or otherwise, as well as other significant disruptions of information technology networks and related systems.


Company Information

Name: Global Medical REIT Inc.
CIK: 0001533615
SIC Description: Real Estate Investment Trusts
Ticker: GMRE - NYSE; GMRE-PA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30